Lecture 20+21 Lecturer: Aaron Roth Scribe: Aaron Roth

Home , Mechanism design

CIS 800/002 The Algorithmic Foundations of Data Privacy November {22, 29}, 2011 Lecture 20+21 Lecturer: Aaron Roth Scribe: Aaron Roth

Diﬀerential Privacy and Mechanism Design

In this lecture, we’ll give a brief introduction to mechanism design, and see how diﬀerentially private mechanisms can be used as a building block in building truthful mechanisms. We’ll start with the very simple example of a single item auction. Suppose an auctioneer has a single item for sale. Bidders i ∈ [n] each have a private valuation for the item vi. If a bidder i wins the item, but must pay pi dollars, then his total utility is ui = vi − pi. Bidders are rational, and will act to maximize their utility. As mechanism designers, we get to design the auction rule to achieve some goal. Suppose we want to maximize social welfare: to allocate the item to the person who wants it the most. Consider the following simple auction rule: FirstPrice:

1. Each bidder i submits a bid bi.

∗ 2. i = arg maxi∈[n] bi

∗ 3. Allocate the item to bidder i in exchange for payment pi∗ = bi∗ How should rational bidders behave? Its not clear...

Example 1 Suppose n = 2 and v1 = 10, v2 = 4. Truthful bidding is not optimal: it results in 1 winning the item and getting utility u1 = 10 − 10 = 0. If 2 bids 4, then 1 should bid 4 + ... But 2 might also shade his bid.. What if they don’t know each others value? As we see, it is not at all clear how agents will bid. Without knowing how the agents bid, we can’t say anything about the performance of the mechanism! It allocates the item to the person who reported the highest value, but this might not be the person with the highest value... SecondPrice:

1. Each bidder i submits a bid bi.

∗ 2. i = arg maxi∈[n] bi

∗ 3. i2 = arg maxi∈[n]\{i∗} bi ∗ 4. Allocate the item to bidder i in exchange for payment p ∗ = b ∗ i i2

Unlike FirstPrice, it is always in each persons best interest to truthfully report bi = vi in secondprice. Write b−i to denote the set of all bids bj for j 6= i.

n−1 0 Claim 1 For all i, b−i ∈ R , bi ∈ R:

0 ui(SecondPrice(bi, b−i)) ≥ ui(SecondPrice(bi, b−i)) Proof By case analysis

We have just shown that SecondPrice is truthful or incentive compatible. It is always in each person’s best interest to bid their true value. Therefore, because it allocates the item to the individual with the highest reported valuation, if agents are rational, it also succeeds in allocating the item with the highest true valuation, which was our objective. Of course, we needed to introduce payments to make the above mechanism truthful. What do we do if, as in many situations (elections, public works, organ transplants, ...) payments are not allowed? Lets now make some general deﬁnitions.

20+21-1 Deﬁnition 2 (The Environment) An environment is determined by: 1. A set N of n players.

2. A set of types Ti for each player i ∈ N. (e.g. values vi in the auction setting) 3. A ﬁnite set S of social alternatives (e.g. allocations in the auction setting)

4. A set of reactions Ri for each player i ∈ N.

5. A utility function ui : Ti × S × Ri → [0, 1] for each agent i. We write T for Q T and t ∈ T . Write r (t, s, Rˆ ) ∈ arg max u (t, s, r) to denote i’s optimal −i j6=i i −i −i i i r∈Rî i reaction to type t and alternative s among choices Rî ⊆ Ri. A direct revelation mechanism M defines a game which is played as follows:

0 1. Each player i reports a type ti ∈ Ti.

2. The mechanism chooses an alternative s ∈ S and a subset of reactions for each player Rˆi ⊆ Ri.

3. Each player chooses a reaction ri ∈ Rˆi and experiences utility ui(ti, s, ri). Agents play so as to maximize their own utility. Note that since there is no further interaction after the 3rd step, rational agents will pick ri = ri(ti, s, Rˆi), and so we can ignore this as a strategic step. Let Ri Qn Ri = 2 and let R = i=1 Ri. Then a mechanism is a randomized mapping M : T → S × R. We 0 0 denote agents expected utilities for reporting a type ti when all other agents report type t−i as:

0 0 ˆ ui(ti, M(ti, t−i)) = E ˆ 0 0 [ui(ti, s, ri(ti, s, Ri))] s,Ri∼M(ti,t−i) We want to design mechanisms that incentivize truthful reporting.

0 Deﬁnition 3 A mechanism M is dominant strategy truthful if for all i ∈ N, ti ∈ Ti and t−i ∈ T−i:

0 0 0 ui(ti, M(ti, t−i)) ≥ ui(ti, M(ti, t−i))

0 It is strictly dominant strategy truthful if for each ti, there exists a t−i that makes the inequality strict. i.e. given a truthful mechanism, no rational agent ever has any incentive to lie about his type. We can also deﬁne an approximate version of truthfulness:

Deﬁnition 4 A mechanism M is -approximately dominant strategy truthful if for all i ∈ N, ti ∈ Ti 0 and t−i ∈ T−i: 0 0 0 ui(ti, M(ti, t−i)) ≥ ui(ti, M(ti, t−i)) − For an approximately truthful mechanism, agents may have incentive to lie, but the incentive is only very small. Note that it is very easy to design a mechanism that is truthful: we can merely ignore the reported types, and pick a random alternative s ∈ S. But as mechanism designers, we will also have some objective that we wish to optimize – e.g. in the auction example, we wished to allocate the item to the person who desired it the most. A common objective is to maximize the social welfare F : T ×S ×R → R deﬁned to be: n 1 X F (t, s, r) = u (t , s, r ) n i i i i=1

20+21-2 Deﬁnition 5 A mechanism M α-approximates an objective F if for all t:

E ˆ [F (t, s, r(t, s, Rˆ))] ≥ max F (t, s, r) − α s,R∼M t,s,r Ok! Now we can set about designing mechanisms. We will focus on the social welfare objective, but nothing here will be specific to that. First lets consider unrestricted mechanisms that always output Rî = Ri for each player. As differential privacy aficionados, our first attempt at constructing a useful mechanism might be to select an alternative s ∈ S from the exponential mechanism. Note that the social welfare objective is 1/n-sensitive, and so the exponential mechanism M(t) selects each s ∈ S with probability proportional to: exp(nF (t, s, r(t, s)/2)). This mechanism is -differentially private, but what can we say about its incentive properties? Call a mechanism non-imposing if it always outputs Rî = Ri. Such a mechanism is a mapping M : T → S. Theorem 6 For any ≤ 1, a non-imposing mechanism that is -differentially private is 2 approximately truthful.

0 Proof Fix any -diﬀerentially private mechanism M : T → S. For any i, ti, t−i we have: 0 u (t , M(t , t )) = E 0 [u (t , s)] i i i −i s∼M(ti,t−i) i i X 0 = Pr[M(ti, t−i) = s]ui(ti, s) s∈S X 0 0 ≥ exp(−)P r[M(ti, t−i) = s]ui(ti, s) s∈S 0 0 = exp(−)ui(ti, M(ti, t−i)) 0 0 ≥ ui(ti, M(ti, t−i)) − 2

Of course we also know that the exponential mechanism is pretty accurate as well. Translating our utility theorem for the exponential mechanism:

Theorem 7 M α-approximates the social welfare F for: 1 α = O (log |S|) n So this is pretty good already! We have a generic method of designing approximately truthful mechanisms with good utility guarantees (if n is large enough) for arbitrary type spaces and objective functions! This is something that does not exist in the mechanism design literature for exact truthfulness. On the other hand, we might want to do better.. Recall, why did we want truthfulness in the first place? It was because we wanted to guarantee that optimizing over reported types was as good as optimizing over true types. But if the mechanism is only approximately truthful, how do we know that the reported types are the true types? Why shouldn’t agents take their incentive to lie, however small? If we are to be satisfied with approximate truthfulness, we need further to assume that agents will not lie if given only a small incentive. Perhaps mis-reporting has some small external cost (guilt?), or perhaps the beneficial lie is difficult to find. In such cases, perhaps we can stop here. But in other cases, we would like an exactly truthful mechanism. The idea will be to randomize between a differentially private mechanism with good social welfare properties (i.e. the exponential mechanism), and a strictly truthful mechanism which punishes false reporting but which has poor social welfare properties. If we mix correctly, then we will get an exactly truthful mechanism with reasonable social welfare guarantees. Here is one such punishing mechanism which is simple, but not necessarily the best for a given problem:

20+21-3 P 0 Deﬁnition 8 The commitment mechanism M (t ) selects s ∈ S uniformly at random and sets Rˆi = 0 {ri(ti, s, Ri)}. i.e. it picks a random outcome, and then forces everyone to react as if their reported type is their true type.

Deﬁne the gap of an environment as:

0 γ = min max (ui(ti, s, ri(ti, s, Ri)) − ui(ti, s, ri(t , s, Ri))) 0 i i,ti6=ti,t−i s∈S i.e. γ is a lower bound over players and types of the worst-case cost (over s) of mis-reporting. Note that for each player, this worst-case is realized with probability at least 1/|S|. Therefore we have the following simple observation:

0 Lemma 9 For all i, ti, ti, t−i: γ u (t , MP (t , t )) ≥ u (t , MP (t0 , t )) + i i i −i i i i −i |S| γ Note that the commitment mechanism is strictly truthful: every individual has at least a |S| incentive not to lie. This suggests a way to achieve an exactly truthful mechanism that also gets social welfare guarantees:

P Deﬁnition 10 The punishing exponential mechanism M (t) deﬁned with parameter 0 ≤ q ≤ 1 is:

1. With probability (1 − q) return M(t) 2. With probability q return MP (t).

0 Observe that by linearity of expectation, we have for all ti, ti, t−i: P P ui(ti, M (ti, t−i)) = (1 − q) · ui(ti, M(ti, t−i)) + q · ui(ti, M (ti, t−i)) γ ≥ (1 − q)(u (t , M (t0 , t )) − 2) + q u (t , MP (t0 , t )) + i i i −i i i i −i |S| γ = u (t , MP (t0 , t )) − (1 − q)2 + q i i i −i |S| γ = u (t , MP (t0 , t )) − 2 + q 2 + i i i −i |S| Therefore we have:

qγ P Theorem 11 If 2 ≤ |S| then M is strictly truthful. Note that we also have utility guarantees for this mechanism. Setting the parameter q so that we have a truthful mechanism: ˆ ˆ E ˆ P [F (t, s, r(t, s, R))] ≥ (1 − q) · E ˆ [F (t, s, r(t, s, R))] s,R∼M s,R∼M 2|S| = 1 − · E ˆ [F (t, s, r(t, s, Rˆ))] γ s,R∼M 2|S| 1 = 1 − · max F (t, s, r) − O log |S| γ t,s,r n 2|S| 1 ≥ max F (t, s, r) − − O log |S| t,s,r γ n Setting s ! log |S|γ = O |S|n

20+21-4 we ﬁnd: s ! ˆ |S| log |S| Es,Rˆ∼MP [F (t, s, r(t, s, R))] ≥ max F (t, s, r) − O t,s,r γn

Note that in this calculation, we assume that ≤ γ/(2|S|) so that the q ≤ 1 and the mechanism is well deﬁned. This is true for suﬃciently large n. That is, we have shown:

P Theorem 12 For suﬃciently large n, M is α-approximates the social welfare F for: s ! |S| log |S| α = O γn

Note that this mechanism is truthful without the need for payments! Lets now consider an application of this framework: the facility location game. Suppose that a city wants to build k hospitals to minimize the average distance between each citizen and their closest hospital. To simplify matters, we make the mild assumption that the city is built on a discretization of the unit line1. Formally, for all i let: 1 2 L(m) = {0, , ,..., 1} m m denote the discrete unit line with step-size 1/m. |L(m)| = m + 1. Let Ti = Ri = L(m) for all i and let |S| = L(m)k. Deﬁne the utility of agent i to be:

−|t − r |, If r ∈ s; u (t , s, r ) = i i i i i i −1, otherwise.

Note that ri(ti, s) is here the closest facility ri ∈ s. We can instantiate Theorem 12. Note that in our case, we have: |S| = (m + 1)k and γ = 1/m 0 (Because any two positions ti 6= ti diﬀer by at least 1/m). Hence, we have: P Theorem 13 M instantiated for the facility location game is strictly truthful and α-accurate for: r ! km(m + 1)k log m α = O n

The exponential dependence on k can be removed by a more careful analysis of the punishment mechanism M P .

Bibliographic Information This lecture is based on a paper of Nissim, Smorodinsky, and Tennenholtz, “Approximately Optimal Mechanism Design via Diﬀerential Privacy,” 2010, which continues a line of research initiated by the work of McSherry and Talwar, “Mechanism Design via Diﬀerential Privacy”, 2007.

1Note that if this is not the case, we can easily raze and then re-build the city.

20+21-5